Panel Discussion – Afternoon
CRAIG ASTON [00:00:02] Hi, everybody, welcome back to the Panel. As Andy was just saying, The Panel is Security Automation, is this what you’ve been waiting for? I’m delighted to be hosting this and having just been listening to the sessions, just even the last 2 sessions. So, sure, it shows the breadth of what we’ve been talking about today and talking about SolarWinds. One of the more mature players in the market and then immediately moving to cybersecurity around blockchain. Thanks for the fantastic day. I think the presenters kept it very, very crisp. I know Andy has been working hard and has obviously been dropping people in it. And giving them surprises all through the afternoon. So for me, I’m delighted to be able to welcome my panel guests onto this panel. Firstly, we’ve got Aurelie Stutz, who’s Head of Data Protection and Data Protection Officer for Mencap. We’ve got Mariana Pereira, Director of the Email Security Products at Darktrace. And finally, Simon Eyre, who is Managing Director for Europe for Drawbridge. So welcome, everybody. It’s great to see you. Thank you very much for spending the time with us. I think we’ve got to start really just talking about the current situation. We’re obviously all still sat in our homes, all still working with this. And I suppose that the first thing really would just be to talk around. How have you found the lockdown and what’s it been like? So I will start with you Aurelie, how has it been for Mencap, both overall, but also from a cybersecurity and data protection point of view? Hi Aurelie. I’m afraid we’re having problems with your sound at the moment, so we’re struggling to hear you. So a guy from the studio is going to try and fix that.
AURELIE STUTZ [00:02:01] I’m sorry. Can you hear me now?
CRAIG ASTON [00:02:05] There we go. We can hear you now. That’s much better. I can see you speaking Aurelie. We’re struggling to hear you. So let’s get him. How’s the lockdown been for Mencap overall? And also from a cyber and data protection point of view?
AURELIE STUTZ [00:02:21] It’s been challenging like for everybody else, but also it was very adaptable, everyone was. Our team was created about 6 months ago. So in those 6 months, along with Infosec, we’ve managed to ramp up the awareness of, you know, how important Infosec and data protection and security is. So all the leadership of Mencap was actually quite aware of the importance of that when the lockdown happened. As soon as it became clear that the offices would be closed, the business as to who of the appropriate governance and advice for all the operations stopped. It was brilliant. Definitely seeing a lot of vocalisation to the 21st century in a way. So, yeah, it was good.
CRAIG ASTON [00:03:17] Excellent. That’s good to hear. I mean, it sounds as though you attacked it with vigour and had a really good time and actually had a supportive management team as well by the sounds of things, which is also important. I’m actually having that support. So if I could just hand over to Mariana, my assumption would be that Darktrace has been really, really busy in this period given what Darktrace does. So is that correct? Given the threats that everybody’s facing?
MARIANA PEREIRA [00:03:48] That’s absolutely correct. We had come out of a very busy beginning of 2020, actually, with already a fourfold increase in the demand for our product even before the various shelter in place, lockdowns and flexible working conditions started. And I think it’s just gotten busier for everyone, really. And I’m sure that now it’s changed a lot of the dynamics and it’s changed a lot of the way in which we think of what is the corporate environment or the corporate network. And it has really accelerated a lot of the trends that we had been seeing already for the last couple of years. So it’s been a roller coaster for sure.
CRAIG ASTON [00:04:28] Yeah, I can imagine. I thought it would have been. And just to bring Simon into this, I know Drawbridge tend to focus on the financial services area. So I suppose the question there is, what’s it been like in financial services around this time?
SIMON EYRE [00:04:43] Yeah, you’re absolutely right. And I think for Drawbridge as a business, the first thing for us is we have a very distributed business model anyway. So for us, the transition wasn’t that difficult, but, absolutely right, for our clients that was a very different experience. Most of our clients tend to be in the financial services market. So hedge funds, private equity, and we’re providing cybersecurity services for them there. And so for them, changing from this sort of very typical business continuity planning and disaster recovery planning model that used to be essential services, essential staff into now all of your staff, your non-essential staff over a long term plan was a very rapid and significant change for a lot of them. And that’s where I think the real bulk of the work came in, being able to upscale a lot of what they thought would be sufficient into this long term working model.
CRAIG ASTON [00:05:44] Yes, that’s fascinating. It is particularly, I know, the private equity market in particular, they all like to be sat in meeting rooms. So actually learning to work remotely has been a big change for that marketplace. Meeting rooms or lunch venues? So I suppose just thinking back around actually these challenges around working from home. I suppose really back to Aurelie. So how did you find… How did your team address all the challenges of actually having so many people then working at home? What were the key challenges you found?
AURELIE STUTZ [00:06:21] A lot of it, a different direct rights and our biggest is personal support, which is providing support to people with learning disabilities in their day to day lives and no money. That’s a very paper-based operation. You know, it’s obviously anything that you spare preparer’s that you take house to house and then back home you have an opportunity to lose. So this year, anyway, Mencap was moving from that paper-based model to an app-based model where all of that could be done on, you know, their work phone. That reduced a lot. We had a lot of spike in obviously phishing, social engineering via email and phone. And we basically launched new GDPR and Infosec training as soon as we went into lockdown. And we also keep up the awareness of that via a communication plan. So every week we have some engagement with Mencap staff so that they are aware of what can happen. And anytime we hear of, you know, funding being awarded for a particular piece of work, we also make that particular team aware that they will be targeted for it because generally all opportunities are advertised. Quite typically and not make us vulnerable. So a lot of our approach is about awareness and making people understand why it’s important. I mean, you know, we also have all the usual techy bits, but it’s mostly, mostly people based.
CRAIG ASTON [00:08:11] Yeah, yeah, I see that. I think that’s really interesting listening about the human side. It really is the human side and the training and the awareness and various other things. I think it’s only fair. It’s fun. Yeah. Make it fun. Absolutely. Making it fun and making sure people are collaborating. I think really, given you started talking about the technical bits, I think it’s only fair to hand over to Mariana given she runs the security products for email. Mariana, what have you seen, particularly around email and messaging, that have been the real threats that have been coming through at this stage?
MARIANA PEREIRA [00:08:46] So we’ve had a very interesting experiment happening in front of our eyes, if you will. And we followed how attackers have already changed and adapted their attack types throughout lockdown. What started at the end of February and March as an increase in spear phishing campaigns, phishing campaigns that we call fearware. So they prey on the fear, uncertainty and doubt. And so it was emails that were promising updates on COVID or the latest information. Those emails were very quickly and vastly spread out and we saw many of those campaigns actually reach or try to reach some of our customers’ environments. And then a few weeks later, already we saw that shift. We saw how, rather than these mass phishing campaigns, they actually adapted the message. And we started seeing not just campaigns that were trying to pretend to be from the CDC, but things even like, oh, your VPN has been compromised. Click here for the latest download. So we’ve seen attackers change the topic of their emails to reflect the changes in the dynamic workforce and how people and companies adapted to lockdown. So, so many have prioritised or accelerated that spend and that investment in security tools. And now, exactly as Aurelie said, so much of it is also making those users aware and safe in the new way of working. And so security teams, I think, have also adapted their way of thinking, not just to think in terms of structure and a corporate network, but really it doesn’t matter where the workforce is. Right. If they’re using email or Cloud or the device that was issued by the security team or if it’s their own devices. Because now we’re on home networks, all of these things are blending into a much more complex environment. And the attackers are taking advantage of that complexity.
CRAIG ASTON [00:10:41] That’s great, thank you. That’s really interesting. We’ve seen the variation in attacks, certainly different attack types, and that’s definitely true. And we’re obviously going to have a lot of end-users and various other things watching us now. What would you say are the best practices that they could be looking at in trying to secure those things? How would you… What advice would you give if you could give a couple of things that they shouldn’t be doing?
MARIANA PEREIRA [00:11:05] Well, I think that one helpful way of thinking about the problem is to shift away from thinking of something that is good or bad, when we think of security tools and how to approach security, and change that question to: does it belong? And it’s really powerful to have that shift in mentality because we have seen how many times the failed approach of something is good or bad or cannot be allowed in or not, on that binary notion, doesn’t really play well in the shades of grey that reality in our lives has. So because that is very difficult, and whether or not something belongs is a difficult and complex question, where we can really get some help is not only from automating those processes that we know one trusts, but also to bring in technology such as A.I. that can adapt and learn with the changes in our patterns of working and in our workforce, that can help our security teams address that question of does this belong or is this unusual? And something can be unusual that can be absolutely fine or something can be unusual and it’s actually the very beginning of a threat or an attack. So changing that mentality, not only good versus bad, will allow us to think, how can I stop and spot the very first indicators of a compromise before they escalate into a crisis?
CRAIG ASTON [00:12:28] Mm-hmm. I think that’s right. It is trying to spot it as early as possible, isn’t it? To try and stop it getting worse. Do you think, Aurelie, do you think that the data protection and cybersecurity? I don’t know, markets or skill sets. Do you think they’re starting to blend? Do you think that there’s a lot of crossover in there at the moment?
AURELIE STUTZ [00:12:50] Yeah. Yeah, I mean, it depends on which organisation. Definitely. So at Mencap, I work all day with the Head of Infosec. You know, you can’t have real data protection without Infosec. It just goes together and I’ve learnt so much about technology and all the things I didn’t know before. So it’s different in. Yeah, you do need those skills. You know, it’s not gonna go back to being simple times of pen and paper and putting it in storage anymore.
CRAIG ASTON [00:13:30] Yeah, I think that’s right. And I think the data protection side is also very important because you do have to have things in place so that you do have ways of getting data back. So should the worst thing happen, that’s really important.
AURELIE STUTZ [00:13:44] And whether it’s legal, you keep that legal while you keep it safe. It goes together.
CRAIG ASTON [00:13:52] Yes, absolutely. Because that plays into GDPR as well. Which is another completely different subject. It was interesting listening to you talk, start to talk about A.I. I’m probably into automation, Mariana. Just, talking to Simon, you obviously see a number of organisations in your world around the private equity world and what they are looking at. And what’s coming next in that whole cybersecurity area? What do you see as being the next big things that are going to be coming through?
SIMON EYRE [00:14:21] Yeah, I think for the next big things. I mean, certainly, the technology spread is increasing. And what we feel we see is that you’re moving away from this traditional perimeter model of security. And I think what the focus will be, as you come with more automation as well, what it will be is the gathering of data sources from multiple scenes. So much like Mariana was talking about with Darktrace, obviously collecting a lot of data. We see that that’s certainly a shift that’s happening with people working from home. Your perimeter is expanded. So everything you’ve built in data, workflow, models and the workflow of how it would interact within a normal corporate office environment is changing. Now, you’ve got interactions that aren’t necessarily, particularly in the financial world, for example, where two people are referencing whether or not a payment should be made. Now, you’re no longer in the office. Things like that are changing. So you end up with doing that communication electronically, making sure that that’s actually being approved and correctly plays through. It also goes back to what you were saying with the email exchanges and monitoring. We’ve seen a very significant increase in typosquatting, for example, and then spear phishing and very targeted, persistent attacks on firms. So all of that’s got a significant increase, and A.I. automation really helps here to help stop the impersonation attacks, to help pull in data from this new perimeter-less environment that we’re working in and be able to really present something to the security team that’s understandable and that they can actually translate and read through and reference to useful information for them to make a decision on what’s happening.
CRAIG ASTON [00:16:04] I think that’s absolutely true. The widening perimeter, I think, is one of the biggest challenges that everybody faces. Mariana, what about yourself? What do you think is coming next? What do you see as the next things in the future?
MARIANA PEREIRA [00:16:19] Yeah. So Simon was talking about some of those examples. You know, it came to mind also the attack that we reported on, somebody who impersonated a board member and it had a plausible-looking email sender, email address. But, yeah, absolutely these business compromises that are extraordinarily difficult to spot and stop, especially when they come not from typosquatting addresses, which are challenging in and of themselves because they most often pass those verification systems, but also when credentials are stolen and a campaign or an email is sent from a legitimate account. So that back and forth Simon was talking about. Right. So if you, and we’ve found this already, already last year, that attackers are now taking advantage of those credentials, using the history of the back and forth in the email correspondence to learn the style of correspondence and then mimicking that style, they will send an email in response to a previous one and then they’ll delete it out of their sent mail. When we put that then together with the advances in A.I. computer systems that can convincingly mimic human behaviour and human interaction, that’s going to supercharge the A.I.-powered spear phishing attack. And once that comes out there, it will just accelerate something that is already happening, which are these sophisticated impersonation attacks, by also bringing down the time that it takes to research, and machines and A.I. are gonna be able to research this and launch those attacks at speed and scale. So that’s unafraid and future that we’re looking to go towards. But fear not. There is a solution, of course, and I don’t want to be putting fear in anyone’s inboxes here.
CRAIG ASTON [00:18:03] Yeah, no, I get it. And there are, as you say, there are solutions out there. And I know that companies like Darktrace are working as fast as the criminals to actually keep your systems up to date to actually look at that. Yeah, Aurelie, I believe that you’d like to add something to this discussion as well?
AURELIE STUTZ [00:18:25] Yes. Sorry. I think, you know, we’re getting to the techy bit. Which is great. You know this is all about the techy bit. But I think we come from a very flawed assumption. But those people and this staff working from home, we already have a secure home, secure equipment and knowledge on how to actually use it. If you look at the charity sector in particular, the care sector, carers are generally in their 50s by now and they’re not technologically illiterate. Some of our staff did not have a smartphone to start with when the lockdown happened. You will have, you know, any person, a young person working for a charity in London will generally share an apartment with someone. So that means we need to have specific and tailored advice to them in regards to how to keep that work confidential there. You know, this scandal situation of.. we are not all in those great situations where we all have our confidential rooms and houses and we all have the same access to the same equipment, the same knowledge.
CRAIG ASTON [00:19:41] So it comes back to the human factor, doesn’t it? Actually, the fact that it is all people and all the people’s different situations and all organisations have to build what we’re doing to actually work in all those different situations.
AURELIE STUTZ [00:19:54] You have to know how the people work.
CRAIG ASTON [00:19:57] Exactly right. That’s exactly true. We have to know how people work and the risks around them. I think that brings us onto an interesting point. I know we were talking about yesterday around the role of the Data Protection Officer in all of these things. I think as we’ve seen from what we’ve been talking about already, the landscape and the cybersecurity landscape and everything is becoming more and more complex. How do you think the role of the Data Protection Officer is going to change? And do you actually think companies are very good with Data Protection Officers currently? How do you see it?
AURELIE STUTZ [00:20:32] My experience so far, besides Mencap, it seems a lot of organisations don’t actually understand clearly what a DPO actually does. They often underestimate the size of the work or the implications of, you know, what data protection means operationally, because to them the goal is to see GDPR as being involved with day to day operations, just a kind of legal touch on the side. Which obviously, yes, GDPR has a massive impact on your day to day operations. You need to give your DPO enough resources for that. I see a lot of DPOs also for hire. You know, that work by the hour. I’ve seen some of them saying that they give service to about 200 organisations and that’s ridiculous. You can’t actually do your job properly if you do that.
CRAIG ASTON [00:21:27] So do you think it’s a problem that the boards of directors don’t understand the relevance of the DPO and also the importance of it?
AURELIE STUTZ [00:21:39] Yes, exactly. And also the other problem being is that there aren’t a lot of qualified DPOs still in the U.K. There’s quite a shortage. So we are quite expensive. So obviously, organisations, especially, you know, in the sector of education or charities which have no money, will not be able to actually afford a DPO full time. So, yes, a very big problem. There’s the financial, and there’s the impression that we are only here for auditing and not for actual engagement and day to day advice.
CRAIG ASTON [00:22:14] I think that makes a really good point. I think the skills around the DPO are all very different and very difficult to find. But I think that’s a genuine problem across the market. Simon, possibly coming back to you. How does it feel, what are the skills like in the market at the moment? You must see a lot around how difficult it is to get cyber and also DPO type skills?
SIMON EYRE [00:22:39] Yeah, the DPO one’s an interesting one as well, as to whether or not a business needs one or if they rely on that as some sort of prop, with upper management really taking ownership of cybersecurity. And you know, that’s often a concern for us, whether data protection is sort of being offloaded as a task to do to a DPO, much like Aurelie was saying with the DPO for hire, the virtual DPO for multiple businesses. And I think that’s a very difficult thing to do and to do it right. And if your business truly needs a DPO, then it’s something that needs to be addressed. The skills shortage is massive at the moment. It’s absolutely a significant thing. And that’s some. And it’s becoming quite a global thing. I mean, we have GDPR in the UK. America is catching up with California’s rules like CCPA. New York’s got the New York SHIELD Act. There’s a variety of these that are coming out now, for example. So this is a problem that’s going to get worse, but it is all in the consumer’s best interest and business’s best interest to get a proper control of the personal information. And so the power of cybersecurity here, the power of bringing in a certain function of the compliance into that model with data protection, is it’s the right way to go. It’s going to, it’s we’re almost ahead or slightly on the regulation from the staffing of doing that.
CRAIG ASTON [00:24:04] I think it’s absolutely right. The regulations are catching up in the US, I think. But it’s going to take time. And when we see how long it’s taken for GDPR to bed down in Europe, you can imagine it’s gonna take a long time. And Mariana, what’s your view on the skills question?
MARIANA PEREIRA [00:24:23] Yeah, I think it’s a very relevant one. And actually tying back also to the title in general of the Data Protection Officer. We tend to think of it in terms of consumer data. Right. And of course, because there’s so much legislation and new legislation coming out. But one thing that I found really interesting is how companies that hadn’t originally thought of themselves as targets or as valuable targets of cyber attacks have actually become valuable targets because of the shifts in the world. So the financial institution maybe, you know, target they were, 25% of our customer base. Historically, that’s now come down because other industries are catching up. Not for profits, education and across the entire board. And one area that I thought was really interesting to think about was academic research and science research and universities that are at the cutting edge of so many of our vaccine researchers here right now, who thrive on collaboration and openness and an open and secure flow of data. Now, the question to them about data protection is also about protecting that research. It’s protecting that intellectual property. And so I think that, as Aurelie was saying, exactly, not everyone has the same maturity and not all industries are also coming with the same amount of investment available. But that’s also shifting because everything is digital and because hackers and cybercriminals are living in this environment, we’re starting to see a shift in the change away from just thinking about that health record or that bank being compromised to also things like scientific research or universities being targeted, because now that’s so valuable. That’s really valuable data. And we should also, if the DPO didn’t have enough to do before, that is also something to be concerned about and considering.
CRAIG ASTON [00:26:17] No, absolutely. You’re absolutely right. Consumer data has been everybody’s focus because of GDPR. But corporate data will become the next thing, I think, in corporate data protection. So we’re gonna need to wrap this up, guys. It’s been really interesting. I suppose the last thing to do would be to say many, many thanks for your time. It’s been really interesting to get your insights in what we’ve been doing. And I hope you’ve enjoyed being on The Panel. Thank you very much for being with me.
SIMON EYRE [00:26:49] That’s great. Thank you very much.
CRAIG ASTON [00:26:51] So we’re going to wrap this up now. It’s the end of the day. It’s been a fantastic day. It really has, so many different interesting speakers. I think the fact that they were short slots, the fact that it was really, really punchy. Obviously, the interviewers and the hosts have been excellent. And I think hopefully on behalf of all the people who’ve watched today, I’d like to say thanks to everybody who’s contributed. I’ve certainly taken a lot out of it. And I hope everybody has as well. So I’ll sign off now. Thank you very much indeed.